A good reason to run your own recursive DNS servers. And a wonderful project that makes this incredibly easy is Pi-Hole, which you can run on a Raspberry Pi. Add Unbound recursive DNS resolver and you’ll have a very secure DNS resolver that will go to the authoritative server responsible for the site you trying to access. This will also protect you from your ISP tracking your DNS lookups with their servers. And this will add advertisement, malware and telemetry blocking; with many lists available you can add as currently I have over a millions sites that are blocked. And you can add your Pi-Hole DNS resolver to your router so it is used by all devices on your home network which is great for adding ad blocking to smartphones. I even run Pi-Hole on my own VPN server so when I’m hiding my home IP I also have my own DNS server with the same blocking.
By Sergiu Gatlan
A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware.
Also tracked as Evasive Panda, Daggerfly, and StormCloud, this cyber-espionage group has been active since at least 2012, targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries.
On Friday, Volexity threat researchers revealed that the Chinese cyber-espionage gang had exploited insecure HTTP software update mechanisms that didn’t validate digital signatures to deploy malware payloads on victims’ Windows and macOS devices.
“When these applications went to retrieve their updates, instead of installing the intended update, they would install malware, including but not limited to MACMA and POCOSTICK (aka MGBot),” cybersecurity company Volexity explained in a report published on Friday.
To do that, the attackers intercepted and modified victims’ DNS requests and poisoned them with malicious IP addresses. This delivered the malware to the targets’ systems from StormBamboo’s command-and-control servers without requiring user interaction.
For instance, they took advantage of 5KPlayer requests to update the youtube-dl dependency to push a backdoored installer hosted on their C2 servers.
After compromising the target’s systems, the threat actors installed a malicious Google Chrome extension (ReloadText), which allowed them to harvest and steal browser cookies and mail data.
“Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware,” the researchers added.
“Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”
In April 2023, ESET threat researchers also observed the hacking group deploying the Pocostick (MGBot) Windows backdoor by abusing the automatic update mechanism for the Tencent QQ messaging application in attacks targeting international NGOs (non-governmental organizations).
Almost a year later, in July 2024, Symantec’s threat hunting team spotted the Chinese hackers targeting an American NGO in China and multiple organizations in Taiwan with new Macma macOS backdoor and Nightdoor Windows malware versions.
In both cases, although the attackers’ skill was evident, the researchers believed it was either a supply chain attack or an adversary-in-the-middle (AITM) attack but weren’t able to pin down the exact attack method.